Closed Bug 764402 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ EnterIon] with gcPreserveCode

Categories

(Core :: JavaScript Engine, defect)

Version: Other Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: major

Tracking

RESOLVED DUPLICATE of bug 763989

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on ionmonkey revision 71b71dcbf9fe (run with --ion -n -m --ion-eager).
Valgrind trace:

==22822== Invalid read of size 1
==22822==    at 0x4032177: ???
==22822==    by 0x813237: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1110)
==22822==    by 0x813530: js::ion::Cannon(JSContext*, js::StackFrame*) (Ion.cpp:1138)
==22822==    by 0x52A0E4: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2544)
==22822==    by 0x51B299: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:286)
==22822==    by 0x51BF4F: js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:474)
==22822==    by 0x51C1D1: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:512)
==22822==    by 0x44DEC3: EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) (jsapi.cpp:5378)
==22822==    by 0x44DF9C: JS_EvaluateUCScriptForPrincipals (jsapi.cpp:5389)
==22822==    by 0x44E181: JS_EvaluateUCScript (jsapi.cpp:5423)
==22822==    by 0x40A995: Evaluate(JSContext*, unsigned int, JS::Value*) (js.cpp:891)
==22822==    by 0x51390A: js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) (jscntxtinlines.h:395)
==22822==  Address 0xfffa80000c714fdb is not stack'd, malloc'd or (recently) free'd
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
A testcase for this bug was already added in the original bug (bug 763989).
Flags: in-testsuite-